| author | Freya Murphy <freya@freyacat.org> | 2026-04-30 19:22:14 -0400 |
|---|---|---|
| committer | Freya Murphy <freya@freyacat.org> | 2026-04-30 19:22:14 -0400 |
| commit | 0d98ac273120c47939a9ecdec6339af6ba43f132 (patch) | |
| tree | dc45a11b25f5aacbdfe9b68752f98510c9307e8a | |
| download | ansible-0d98ac273120c47939a9ecdec6339af6ba43f132.tar.gz ansible-0d98ac273120c47939a9ecdec6339af6ba43f132.tar.bz2 ansible-0d98ac273120c47939a9ecdec6339af6ba43f132.zip | |
initial
| -rw-r--r-- | README.md | 3 | ||||
| -rw-r--r-- | ansible.cfg | 2 | ||||
| -rw-r--r-- | base.yml | 5 | ||||
| -rw-r--r-- | group_vars/all.yml | 3 | ||||
| -rw-r--r-- | group_vars/alpine.yml | 1 | ||||
| -rw-r--r-- | inventory/hosts | 19 | ||||
| -rw-r--r-- | roles/alpine/files/Caddyfile | 73 | ||||
| -rw-r--r-- | roles/alpine/files/freyanet.crt | 11 | ||||
| -rw-r--r-- | roles/alpine/files/sshd_config | 15 | ||||
| -rw-r--r-- | roles/alpine/files/tmux-window.sh | 7 | ||||
| -rw-r--r-- | roles/alpine/files/tmux.conf | 105 | ||||
| -rw-r--r-- | roles/alpine/files/zshrc | 54 | ||||
| -rw-r--r-- | roles/alpine/tasks/caddy.yml | 27 | ||||
| -rw-r--r-- | roles/alpine/tasks/certs.yml | 15 | ||||
| -rw-r--r-- | roles/alpine/tasks/chrony.yml | 11 | ||||
| -rw-r--r-- | roles/alpine/tasks/main.yml | 13 | ||||
| -rw-r--r-- | roles/alpine/tasks/packages.yml | 31 | ||||
| -rw-r--r-- | roles/alpine/tasks/repos.yml | 10 | ||||
| -rw-r--r-- | roles/alpine/tasks/ssh.yml | 27 | ||||
| -rw-r--r-- | roles/alpine/tasks/tmux.yml | 21 | ||||
| -rw-r--r-- | roles/alpine/tasks/zsh.yml | 18 | ||||
| -rw-r--r-- | roles/alpine/templates/authorized_keys.j2 | 3 | ||||
| -rw-r--r-- | roles/alpine/templates/repositories.j2 | 2 | ||||
| -rw-r--r-- | roles/update/tasks/alpine.yml | 11 | ||||
| -rw-r--r-- | roles/update/tasks/main.yml | 4 | ||||
| -rw-r--r-- | update.yml | 5 |
26 files changed, 496 insertions, 0 deletions
diff --git a/README.md b/README.md new file mode 100644 index 0000000..8f6ce36 --- /dev/null +++ b/README.md @@ -0,0 +1,3 @@ +## ansible + +my personal playbook for my servers diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..73ee9b1 --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,2 @@ +[defaults] +inventory = ./inventory diff --git a/base.yml b/base.yml new file mode 100644 index 0000000..9689f4a --- /dev/null +++ b/base.yml @@ -0,0 +1,5 @@ +- name: Configure Alpine VMs + hosts: alpine + become: true + roles: + - alpine diff --git a/group_vars/all.yml b/group_vars/all.yml new file mode 100644 index 0000000..28c4706 --- /dev/null +++ b/group_vars/all.yml @@ -0,0 +1,3 @@ +ssh_authorized_keys: + - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTZhIaet4Sxb9n7W/LJezqb5XmgAXWzjS907rUdeukq freya@freyacat.org" + - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzMST2uiVueyaMfF/BdnOCwdkmHa0lSjh2U6hByUHlj backup" diff --git a/group_vars/alpine.yml b/group_vars/alpine.yml new file mode 100644 index 0000000..d44a2d2 --- /dev/null +++ b/group_vars/alpine.yml @@ -0,0 +1 @@ +alpine_version: "v3.23" diff --git a/inventory/hosts b/inventory/hosts new file mode 100644 index 0000000..26431e3 --- /dev/null +++ b/inventory/hosts @@ -0,0 +1,19 @@ +[alpine] +auth.in.freya.cat +cloud.in.freya.cat +services.in.freya.cat +plex.in.freya.cat +ca.in.freya.cat +minecraft.in.freya.cat +radius.in.freya.cat +sip.in.freya.cat +git.in.freya.cat +matrix.in.freya.cat +xmpp.in.freya.cat +vpn.in.freya.cat +cron.in.freya.cat + +[alpine:vars] +ansible_user=root +ansible_become=false +ansible_python_interpreter=/usr/bin/python diff --git a/roles/alpine/files/Caddyfile b/roles/alpine/files/Caddyfile new file mode 100644 index 0000000..8d4e967 --- /dev/null +++ b/roles/alpine/files/Caddyfile 
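Review bot: The `[alpine:vars]` block pins `ansible_user=root` with `ansible_become=false`, which only works because the shipped sshd_config keeps `PermitRootLogin yes`, and it contradicts `become: true` in base.yml; as far as I recall the inventory connection variable takes precedence over the play keyword, so one of the two settings is inert and misleading. A dedicated unprivileged automation account with `ansible_become=true` (doas or sudo) would let root SSH logins be disabled entirely and keep the play keyword meaningful. If root-over-SSH is deliberate, drop `become: true` from base.yml and add a comment here saying so.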
@@ -0,0 +1,73 @@
+{
+ http_port 80
+ https_port 443
+
+ email freya@freyacat.org
+ acme_ca https://ca.in.freya.cat/acme/acme/directory
+}
+
+(logs) {
+ log {
+ output file /var/log/caddy {
+ roll_size 10mb
+ roll_keep 7
+ roll_keep_for 720h
+ }
+ }
+}
+
+(headers) {
+ #header ?Access-Control-Allow-Origin "*"
+ header ?X-Content-Type-Options "nosniff"
+ header Permissions-Policy "interest-cohort=()"
+ header Referrer-Policy "same-origin"
+ header Strict-Transport-Security "max-age=31536000"
+}
+
+(compression) {
+ encode {
+ gzip 6
+ zstd
+ }
+}
+
+(acme) {
+ redir /.well-known/acme-challenge /.well-known/acme-challenge/
+ handle_path /.well-known/acme-challenge/* {
+ file_server browse
+ root * /var/www/html/.well-known/acme-challenge
+ }
+}
+
+(base) {
+ import logs
+ import headers
+ import compression
+ import acme
+}
+
+(http) {
+ try_files {path}.html {path}
+ file_server
+}
+
+(wellknown) {
+ header ?Access-Control-Allow-Origin "*"
+ redir /.well-known /.well-known/
+ handle_path /.well-known/* {
+ file_server browse
+ root * /static/wellknown
+ }
+}
+
+(protect) {
+ forward_auth https://forward.auth.in.freya.cat {
+ uri /
+ header_up Host forward.auth.in.freya.cat
+ copy_headers {
+ X-Webauth-Username X-Webauth-Email X-Webauth-First-Name X-Webauth-Last-Name
+ }
+ }
+}
+
+import /etc/caddy/*.conf
diff --git a/roles/alpine/files/freyanet.crt b/roles/alpine/files/freyanet.crt
new file mode 100644
index 0000000..36309d8
--- /dev/null
+++ b/roles/alpine/files/freyanet.crt
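Review bot: `file_server browse` in the `(acme)` and `(wellknown)` snippets turns on directory listings for `/.well-known/acme-challenge/` and `/.well-known/`, exposing every file under those roots to anyone, and the latter is additionally served with `Access-Control-Allow-Origin "*"`; neither ACME nor well-known lookups need a listing, so use `file_server` without `browse` in both places. `Strict-Transport-Security "max-age=31536000"` has no `includeSubDomains`, so subdomains of a site that imports `(headers)` stay reachable over plain HTTP unless they set their own policy — add it if every subdomain is TLS-only. In `(protect)`, confirm that `copy_headers` overwrites rather than merges client-supplied `X-Webauth-*` request headers when the auth backend omits one; if it does not, a client could forward a spoofed identity to the protected upstream. The per-site files under `/etc/caddy/*.conf` that actually use these snippets are not part of this commit, so their use of `(protect)` and `(http)` cannot be checked here.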
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBnDCCAUKgAwIBAgIRAPVH+EAJd7BV1oocsZ1LQLEwCgYIKoZIzj0EAwIwLDEQ
+MA4GA1UEChMHZnJleWFDQTEYMBYGA1UEAxMPZnJleWFDQSBSb290IENBMB4XDTIz
+MTAyODEzNDAzNVoXDTMzMTAyNTEzNDAzNVowLDEQMA4GA1UEChMHZnJleWFDQTEY
+MBYGA1UEAxMPZnJleWFDQSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
+QgAEvVC5H2UQZQxMJxKnWkNF7kKNXVDpY2N81yFXRb+K/MKw3aQTI1ukJ6A3AmZP
+P9urbt/wOHI2zBuodGi4gaLBSaNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB
+/wQIMAYBAf8CAQEwHQYDVR0OBBYEFGYaattGlZxu5noFWxAnLtpMqJvJMAoGCCqG
+SM49BAMCA0gAMEUCIQCCyubbf8AUq+PPrnBRQ/WFYKH3mwUXcDT7VZoLm+/q+gIg
+YdSLl4AnWfDLlaTTZspft2fq5rEFCB5N+4p/67vSsmY=
+-----END CERTIFICATE-----
diff --git a/roles/alpine/files/sshd_config b/roles/alpine/files/sshd_config
new file mode 100644
index 0000000..f2ec50e
--- /dev/null
+++ b/roles/alpine/files/sshd_config
@@ -0,0 +1,15 @@
+StrictModes yes
+Port 22
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+PermitRootLogin yes
+AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/authorized_keys
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding yes
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem sftp internal-sftp
+
+Match Address 10.*
+ PasswordAuthentication yes
diff --git a/roles/alpine/files/tmux-window.sh b/roles/alpine/files/tmux-window.sh
new file mode 100644
index 0000000..1cdacf0
--- /dev/null
+++ b/roles/alpine/files/tmux-window.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if tmux list-windows | grep -q "^$1:"; then
+ tmux select-window -t "$1"
+else
+ tmux new-window -t "$1"
+fi
diff --git a/roles/alpine/files/tmux.conf b/roles/alpine/files/tmux.conf
new file mode 100644
index 0000000..f468d55
--- /dev/null
+++ b/roles/alpine/files/tmux.conf
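Review bot: `PermitRootLogin yes` combined with the `Match Address 10.*` block that sets `PasswordAuthentication yes` allows password logins as root from the whole 10/8 range, which undoes the key-only baseline established by the global `PasswordAuthentication no`; change the global line to `PermitRootLogin prohibit-password` so the Match block only relaxes password auth for non-root accounts. `AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/authorized_keys` makes the system-wide file valid for every account including root, so each key rendered into it from `ssh_authorized_keys` can log in as any user — if that is intended, say so in a comment here; otherwise restrict it under a `Match User root` block. `X11Forwarding yes` on headless VMs that already set `AllowTcpForwarding no` looks unintended and widens what a compromised client can reach; `X11Forwarding no` is the safer default.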
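Review bot: The existence check parses the default `tmux list-windows` output with `grep -q "^$1:"`, which depends on tmux's display format and treats `$1` as a regex; it is simpler and more robust to let tmux decide, `tmux select-window -t ":$1" 2>/dev/null || tmux new-window -t ":$1"`. The leading `:` forces an index target so that, when the index is free, a window whose name happens to start with that digit is not picked up by tmux's name-prefix lookup (my reading of tmux's target resolution — worth confirming). The script does no argument validation and is only invoked from tmux.conf with fixed digits, so a one-line comment stating that contract is enough.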
@@ -0,0 +1,105 @@
+
+# change prefix
+set -g prefix C-a
+unbind C-b
+bind C-a send-prefix
+
+# split windows like vim
+# vim's definition of a horizontal/vertical split is reversed from tmux's
+bind s split-window -v
+bind v split-window -h
+
+# split panes using | and -
+bind - split-window -v
+bind | split-window -h
+unbind '"'
+unbind %
+
+# reload config file
+bind r source-file ~/.tmux.conf
+
+# large history
+set -g history-limit 10000
+
+# start windows and panes at 1, not 0
+set -g base-index 1
+setw -g pane-base-index 1
+
+# switch term
+bind 1 run-shell "/usr/local/bin/tmux-window.sh 1"
+bind 2 run-shell "/usr/local/bin/tmux-window.sh 2"
+bind 3 run-shell "/usr/local/bin/tmux-window.sh 3"
+bind 4 run-shell "/usr/local/bin/tmux-window.sh 4"
+bind 5 run-shell "/usr/local/bin/tmux-window.sh 5"
+bind 6 run-shell "/usr/local/bin/tmux-window.sh 6"
+bind 7 run-shell "/usr/local/bin/tmux-window.sh 7"
+bind 8 run-shell "/usr/local/bin/tmux-window.sh 8"
+bind 9 run-shell "/usr/local/bin/tmux-window.sh 9"
+bind 0 run-shell "/usr/local/bin/tmux-window.sh 10"
+bind S choose-tree
+
+# terminal style
+set -g default-terminal "tmux-256color"
+set -g terminal-overrides "*:colors=256"
+set -a terminal-features "xterm-256color:RGB"
+
+# focus events
+set -g focus-events on
+
+# move around panes with hjkl, as one would in vim after pressing ctrl-w
+bind -n M-Left select-pane -L
+bind -n M-Right select-pane -R
+bind -n M-Up select-pane -U
+bind -n M-Down select-pane -D
+
+# enable mouse control
+set -g mouse on
+
+# don't rename windows automatically
+set-option -g allow-rename off
+
+# don't do anything when a 'bell' rings
+set -g visual-activity off
+set -g visual-bell off
+set -g visual-silence off
+setw -g monitor-activity off
+set -g bell-action none
+
+# clock mode
+setw -g clock-mode-colour yellow
+
+# copy mode
+setw -g mode-style 'fg=black bg=red bold'
+setw -g mode-keys vi
+
+# panes
+set -g pane-border-style 'fg=red'
+set -g pane-active-border-style 'fg=yellow'
+
+# statusbar
+set -g status-position bottom
+set -g status-justify left
+set -g status-style 'fg=blue'
+set -g status-interval 1
+
+set -g status-left ''
+set -g status-left-length 10
+
+set -g status-right-style 'fg=black bg=blue'
+set -g status-right '%Y-%m-%d %H:%M:%S '
+set -g status-right-length 50
+
+setw -g window-status-current-style 'fg=black bg=blue'
+setw -g window-status-current-format ' #I #W #F '
+
+setw -g window-status-style 'fg=blue bg=black'
+setw -g window-status-format ' #I #[fg=white]#W #[fg=blue]#F '
+
+setw -g window-status-bell-style 'fg=blue bg=red bold'
+
+# messages
+set -g message-style 'fg=yellow bg=red bold'
+
+# bind : to command-prompt like vim
+# this is the default in tmux already
+bind : command-prompt
diff --git a/roles/alpine/files/zshrc b/roles/alpine/files/zshrc
new file mode 100644
index 0000000..fc01188
--- /dev/null
+++ b/roles/alpine/files/zshrc
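Review bot: `bind r source-file ~/.tmux.conf` reloads a per-user file, but tmux.yml installs this config system-wide as `/etc/tmux.conf`, so on any account without a private config the binding fails with a "no such file" error instead of reloading; point it at the installed path, `bind r source-file /etc/tmux.conf \; display 'config reloaded'`. The digit bindings hard-code `/usr/local/bin/tmux-window.sh`, which matches the `dest` in tmux.yml, but a comment above them naming that dependency would save the next person a search when the script moves.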
@@ -0,0 +1,54 @@ +# zsh shell initalization file + +# export 'SHELL' and 'TERM' to child processes +export SHELL +export TERM + +# check for non-interactive shell. +if [[ $- != *i* ]]; then + # We are being invoked from a non-interactive shell. If this + # is an SSH session (as in "ssh host command"), source + # /etc/profile so we get PATH and other essential variables. + [[ -n "$SSH_CLIENT" ]] && source /etc/profile + + # Don't do anything else. + return +fi + +# load zsh plugins +setopt extendedglob +bindkey -e +autoload -U compinit +compinit +autoload -U colors && colors +setopt promptsubst + +# prompt +function prompt_char { + if [ $UID -eq 0 ]; then echo "#"; else echo "$"; fi +} +PROMPT='%(!.%F{9}.%F{10})%n@%m: %F{15}%c%F{12}$(prompt_char)%F{7} ' +PROMPT2='%_%F{12}:%F{15} ' + +# aliases +alias ls='ls --color=auto' +alias rf="rm -fr" # remove le french hon hon hon +alias vim="nvim" + +# manpages +export LESS_TERMCAP_md=$'\e[1;36m' +export LESS_TERMCAP_me=$'\e[0m' +export LESS_TERMCAP_se=$'\e[0m' +export LESS_TERMCAP_so=$'\e[1;92m' +export LESS_TERMCAP_ue=$'\e[0m' +export LESS_TERMCAP_us=$'\e[1;35m' +export GROFF_NO_SGR=1 + +# keybinds +bindkey "\e[1;5D" backward-word +bindkey "\e[1;5C" forward-word +bindkey "\e[3;5~" kill-word +bindkey "\C-_" backward-kill-word +bindkey "\e[3~" delete-char +bindkey "\e[H" beginning-of-line +bindkey "\e[F" end-of-li diff --git a/roles/alpine/tasks/caddy.yml b/roles/alpine/tasks/caddy.yml new file mode 100644 index 0000000..b76caee --- /dev/null +++ b/roles/alpine/tasks/caddy.yml @@ -0,0 +1,27 @@ +- name: Install caddy + apk: + name: + - caddy + state: present + +- name: Configure caddy + copy: + src: Caddyfile + dest: /etc/caddy/Caddyfile + owner: root + group: root + mode: '0664' + +- name: Ensure Caddy log file exists + file: + path: /var/log/caddy + state: touch + owner: caddy + group: caddy + mode: '0664' + +- name: Enable caddy service + service: + name: caddy + enabled: true + state: started 
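Review bot: The last line reads `bindkey "\e[F" end-of-li`; if that is the real file content rather than display truncation, zsh will print `No such widget 'end-of-li'` on every interactive login and the End key will not work — it should be `bindkey "\e[F" end-of-line`. `alias rf="rm -fr"` is shipped into the login shell of root on every VM (zsh.yml switches root's shell to zsh), and a two-character force-recursive delete alias on root shells is a typo hazard that I would not install system-wide. `compinit` is called without `-i`/`-u`, which is fine while the completion directories stay root-owned; a short comment noting that expectation would explain the eventual "insecure directories" prompt if it ever appears.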
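Review bot: The Caddyfile is copied with no `notify`, and the service task only ensures `state: started`, so a changed config never reaches the running daemon until something else restarts it; add `notify: Reload caddy` to the copy task and a handler that reloads the service. A `validate: 'caddy validate --config %s --adapter caddyfile'` on the same copy task would reject a broken Caddyfile before it lands on the host. `state: touch` on `/var/log/caddy` bumps the timestamps and reports `changed` on every run; add `modification_time: preserve` and `access_time: preserve`, or let Caddy create the file itself. `mode: '0664'` on a root-owned `/etc/caddy/Caddyfile` is group-writable for no reason and should be `0644`.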
diff --git a/roles/alpine/tasks/certs.yml b/roles/alpine/tasks/certs.yml new file mode 100644 index 0000000..4d18cbe --- /dev/null +++ b/roles/alpine/tasks/certs.yml @@ -0,0 +1,15 @@ +- name: Install ca-certificates + apk: + name: ca-certificates + state: present + +- name: Install FreyaNET Root CA Cert + copy: + src: freyanet.crt + dest: /usr/local/share/ca-certificates/freyanet.crt + owner: root + group: root + mode: '0664' + +- name: Update CA certs + command: update-ca-certificates diff --git a/roles/alpine/tasks/chrony.yml b/roles/alpine/tasks/chrony.yml new file mode 100644 index 0000000..be76de5 --- /dev/null +++ b/roles/alpine/tasks/chrony.yml @@ -0,0 +1,11 @@ +- name: Install chrony + apk: + name: + - chrony + state: present + +- name: Enable chronyd service + service: + name: chronyd + enabled: true + state: started diff --git a/roles/alpine/tasks/main.yml b/roles/alpine/tasks/main.yml new file mode 100644 index 0000000..ab96669 --- /dev/null +++ b/roles/alpine/tasks/main.yml @@ -0,0 +1,13 @@ +# baseline +- import_tasks: repos.yml +- import_tasks: packages.yml +- import_tasks: certs.yml + +# programs +- import_tasks: zsh.yml +- import_tasks: tmux.yml + +# services +- import_tasks: caddy.yml +- import_tasks: chrony.yml +- import_tasks: ssh.yml diff --git a/roles/alpine/tasks/packages.yml b/roles/alpine/tasks/packages.yml new file mode 100644 index 0000000..8dedc53 --- /dev/null +++ b/roles/alpine/tasks/packages.yml @@ -0,0 +1,31 @@ +- name: Install base packages + apk: + name: + - alpine-base + - bash + - bind-tools + - busybox-mdev-openrc + - cfdisk + - coreutils + - curl + - dosfstools + - e2fsprogs + - git + - htop + - jq + - linux-firmware-none + - linux-virt + - lsblk + - man-db + - man-pages + - neovim + - openssl + - p7zip + - python3 + - ripgrep + - rsync + - sed + - shadow + - syslinux + - xauth + state: present diff --git a/roles/alpine/tasks/repos.yml b/roles/alpine/tasks/repos.yml new file mode 100644 index 0000000..f08997c --- /dev/null 
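Review bot: `command: update-ca-certificates` runs unconditionally, so the play is never idempotent and always reports `changed` for this task; run it only when the copy task registers a change, or turn it into a handler notified by the copy. The hunk installs a private root CA into the system-wide trust store of every VM, which makes the CA host a single point of compromise for all outbound TLS across the fleet; a comment recording the expected SHA-256 fingerprint and expiry (the base64 appears to encode a roughly ten-year validity, worth confirming with `openssl x509 -noout -fingerprint -sha256 -dates`) lets a swapped or expiring anchor be noticed. `mode: '0664'` on a trust anchor should be `0644`.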
+++ b/roles/alpine/tasks/repos.yml @@ -0,0 +1,10 @@ +- name: Configure APK repositories + template: + src: repositories.j2 + dest: /etc/apk/repositories + owner: root + group: root + mode: '0644' + +- name: Update apk cache + command: apk update diff --git a/roles/alpine/tasks/ssh.yml b/roles/alpine/tasks/ssh.yml new file mode 100644 index 0000000..c92405e --- /dev/null +++ b/roles/alpine/tasks/ssh.yml @@ -0,0 +1,27 @@ +- name: Install openssh + apk: + name: + - openssh + state: present + +- name: Configure sshd + copy: + src: sshd_config + dest: /etc/ssh/sshd_config + owner: root + group: root + mode: '0664' + +- name: Configure sshd authorized keys + template: + src: authorized_keys.j2 + dest: /etc/ssh/authorized_keys + owner: root + group: root + mode: '0644' + +- name: Enable sshd service + service: + name: sshd + enabled: true + state: started diff --git a/roles/alpine/tasks/tmux.yml b/roles/alpine/tasks/tmux.yml new file mode 100644 index 0000000..bc5626f --- /dev/null +++ b/roles/alpine/tasks/tmux.yml @@ -0,0 +1,21 @@ +- name: Install tmux + apk: + name: + - tmux + state: present + +- name: Configure tmux + copy: + src: tmux.conf + dest: /etc/tmux.conf + owner: root + group: root + mode: '0664' + +- name: Configure tmux window script + copy: + src: tmux-window.sh + dest: /usr/local/bin/tmux-window.sh + owner: root + group: root + mode: '0755' diff --git a/roles/alpine/tasks/zsh.yml b/roles/alpine/tasks/zsh.yml new file mode 100644 index 0000000..27f45d2 --- /dev/null +++ b/roles/alpine/tasks/zsh.yml @@ -0,0 +1,18 @@ +- name: Install zsh + apk: + name: + - zsh + state: present + +- name: Configure zsh + copy: + src: zshrc + dest: /etc/zsh/zshrc.d/freya.zsh + owner: root + group: root + mode: '0664' + +- name: Ensure root user shell is zsh + user: + name: root + shell: /bin/zsh diff --git a/roles/alpine/templates/authorized_keys.j2 b/roles/alpine/templates/authorized_keys.j2 new file mode 100644 index 0000000..d9f6386 --- /dev/null 
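Review bot: `command: apk update` reports `changed` on every run; either add `changed_when: false` or drop the task and set `update_cache: true` on the `apk` module calls that need a fresh index. The template task has no `notify`, so a re-rendered `/etc/apk/repositories` only takes effect because this unconditional update happens to follow it — a comment saying that the two tasks are deliberately paired (the update role imports this file via `tasks_from: repos` for exactly that reason) would stop someone from "fixing" one without the other.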
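Review bot: Copying `/etc/ssh/sshd_config` without `validate` or a restart handler means a syntax error is only discovered when sshd next restarts, and a correct change is never applied to the running daemon; add `validate: '/usr/sbin/sshd -t -f %s'` and `notify: Restart sshd` to the copy task, with a handler that restarts the service, so a bad config cannot lock you out. `mode: '0664'` on sshd_config makes the daemon's configuration group-writable and should be `0644`. Writing `/etc/ssh/authorized_keys` as root-owned `0644` satisfies sshd's permission checks, but because the shipped sshd_config lists that file for every user, everything in `ssh_authorized_keys` becomes a root-capable login — worth a comment on the task.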
+++ b/roles/alpine/templates/authorized_keys.j2 @@ -0,0 +1,3 @@ +{% for key in ssh_authorized_keys %} +{{ key }} +{% endfor %} diff --git a/roles/alpine/templates/repositories.j2 b/roles/alpine/templates/repositories.j2 new file mode 100644 index 0000000..87cad70 --- /dev/null +++ b/roles/alpine/templates/repositories.j2 @@ -0,0 +1,2 @@ +http://dl-cdn.alpinelinux.org/alpine/{{ alpine_version }}/main +http://dl-cdn.alpinelinux.org/alpine/{{ alpine_version }}/community diff --git a/roles/update/tasks/alpine.yml b/roles/update/tasks/alpine.yml new file mode 100644 index 0000000..566a006 --- /dev/null +++ b/roles/update/tasks/alpine.yml @@ -0,0 +1,11 @@ +- name: Ensure repositories are configured + include_role: + name: alpine + tasks_from: repos + +- name: Upgrade all packages + apk: + upgrade: yes + +- name: Clear package cache + command: apk cache clean diff --git a/roles/update/tasks/main.yml b/roles/update/tasks/main.yml new file mode 100644 index 0000000..c64d3c2 --- /dev/null +++ b/roles/update/tasks/main.yml @@ -0,0 +1,4 @@ + +- name: Update Alpine + include_tasks: alpine.yml + when: "'alpine' in group_names" diff --git a/update.yml b/update.yml new file mode 100644 index 0000000..6f7b577 --- /dev/null +++ b/update.yml @@ -0,0 +1,5 @@ +- name: Update Alpine VMs + hosts: all + become: true + roles: + - update |
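Review bot: Both repository lines use plain `http://`; apk verifies package signatures so tampered packages are rejected, but the index and requested package names travel in clear and an on-path attacker can replay an older signed index to hold a host back from security updates. `dl-cdn.alpinelinux.org` serves the same tree over `https://`, so switch both lines to `https://dl-cdn.alpinelinux.org/alpine/{{ alpine_version }}/main` and `.../community`.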
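Review bot: `apk: upgrade: yes` is run without `update_cache: true`, so it silently depends on the preceding `include_role … tasks_from: repos` having refreshed the index; adding `update_cache: true` here makes the upgrade self-contained, or a comment should state that the include exists for that refresh. `command: apk cache clean` reports `changed` on every run and has nothing to be idempotent about; add `changed_when: false`.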